The ATO Lifecycle
Account Takeover, or ATO, is a term that has become all too familiar. Credentials exposed in third-party breaches are now routinely used by criminals to commit fraud, steal intellectual property and sell it on underground markets. ATOs are quick, scale rapidly and cause collateral damage that can last for years.
Many ATO prevention products claim to stop ATO altogether, but no single strategy is foolproof. As with any security problem, there is no such thing as 100% protection. If ATOs could be stopped every time, why is the number and breadth of attacks still increasing, despite all of the new prevention products and the sales claims that accompany them?
Before we can touch on prevention efforts, we have to understand the timeline of ATO.
Phase 1 – The Breach
Criminals find and exploit vulnerabilities in popular websites and forums to gain access to their user databases. Think Yahoo, Dropbox and Equifax. These publicized breaches affected more than a billion people in total and exposed not only password hashes (often weakly hashed) but also more sensitive information such as security questions and answers, dates of birth and gender.
Phase 2 – Targeted Attacks
During this phase, the credentials are high-value assets. Criminals typically keep stolen data within their trusted circle until they have fully monetized it. After harvesting a dataset, the attacker may bring in trusted associates to parse the data and crack the password hashes. They identify exceptionally wealthy or high-profile victims to treat differently from the rest, and get creative in targeting them with manual account takeover and beyond, i.e. blackmail and extortion.
Phase 3 – The Sale
Having extracted as much value out of the stolen data as possible, the next step is to package it for sale to less sophisticated criminals, who can automate credential stuffing attacks with minimal effort, expense or expertise. Essentially, at this point the stolen credentials have become commodities.
Phase 4 – Credential Stuffing
Once criminals have purchased a list of usernames and passwords, they try the same credentials on many other websites, a process called credential stuffing. Easy-to-use tools are freely available, and botnets and proxy networks let attackers scale the attempts and spread them across many source addresses. Because so many people reuse passwords across accounts out of convenience, this technique is lucrative and relatively easy. Eventually the volume of attacks using a given set of exposed credentials surges to the point where the public becomes aware of the need to change passwords, and the value to criminals diminishes substantially.
An Ounce of Prevention
For companies who recognize that it’s not a matter of if but when, the real power lies in preventative steps. Unfortunately, many well-intentioned security professionals believe they are protecting their company and employees from ATO if they invest in behavior-based technologies. Maybe a password manager? Multi-factor authentication will solve the problem, right?
According to a recent report, the use of stolen credentials is the #1 way criminals gain access to corporate networks and the sensitive information within. Not much has changed over the last few years: more than 80% of hacking-related breaches still involve compromised or weak credentials, and 29% of all breaches, regardless of attack type, involve the use of stolen credentials.
The truth is that behavior-based technologies, password managers, password rotation, multi-factor authentication and scanner solutions are each incomplete on their own. Multi-factor authentication does block the automated credential-stuffing step on accounts that have it enabled, and a password manager removes the reuse that makes stuffing work, but neither tells security or IT staff which accounts are already exposed, none of them reveals where credentials are circulating on the underground, and forced rotation on a schedule mostly produces predictable variations of the old password. Protection from account takeover requires more.
Step 1: Fortify Passwords
The key to stopping account takeover fraud is to prevent it in the first place. A proactive strategy is far more effective than constantly playing defense. To prevent account takeover before it happens, companies must first stop employees from choosing previously compromised or overly simple passwords. This begins with educating employees on the importance of choosing unique, strong passwords that they can remember but that are difficult to guess. NIST's current guidance (SP 800-63B) points the same way: it drops mandatory composition rules and periodic rotation, requires that long passphrases be accepted, and instead requires new passwords to be checked against lists of known-compromised values. The reasoning is that a 16-character random string may defeat the criminals, but users cannot remember it and will write it down or reuse it.
The compromise is to follow the NIST guidance and build an automated check into the registration and password-change flows. The check compares each candidate password against a database of previously exposed passwords. If a match is found or the password is too simple, the user cannot proceed until they choose a stronger one that has not been compromised. The quality, breadth and timeliness of this database are critical: if it is partial or is not updated with new dumps as they appear, matches will be missed. Two implementation details matter as well. The candidate password should be compared by hash, ideally via a range query that sends only a hash prefix, so the plaintext never leaves the application, and the check must also run at password change, not only at registration, or users will simply rotate back to an exposed value.
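The following is an added example, not code from the original article or from any vendor product, showing what such a registration-time check looks like in practice. The breach corpus, the five-character prefix bucketing and the range_lookup function are all stand-ins constructed for the example: a real deployment replaces range_lookup with a call to a breach-data service or a locally mirrored list. The policy checks themselves follow SP 800-63B (length floor, no composition rules, reject context-specific and repetitive values, reject anything found in a breach corpus).

```python
import hashlib
import re

# Constructed stand-in for a breach corpus: a handful of passwords "seen in dumps".
# A real deployment points at a service or a locally mirrored list with hundreds of
# millions of entries; these values are illustrative only.
BREACHED_PLAINTEXTS = {"password", "123456", "Summer2019!", "letmein", "qwerty123"}
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in BREACHED_PLAINTEXTS}


def build_range_index(sha1_digests):
    """Bucket full digests by their first five hex characters. This mirrors the
    k-anonymity "range" lookup pattern: the client sends only the prefix and the
    service returns every suffix in that bucket, so neither the candidate password
    nor its full hash ever leaves the client."""
    index = {}
    for digest in sha1_digests:
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_SHA1)


def range_lookup(prefix):
    """Stand-in (hypothetical) for the network call to a range endpoint."""
    return RANGE_INDEX.get(prefix, set())


def is_breached(password):
    """True if the password's SHA-1 suffix appears in the bucket for its prefix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


MIN_LENGTH = 8    # SP 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 64   # SP 800-63B: verifiers must accept at least 64 characters


def evaluate_password(password, username="", service_name="example"):
    """Return (accepted, reason). No composition rules; the only hard failures are
    length, context-specific content, trivially repetitive input, and presence in
    the breach corpus."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if len(password) > MAX_LENGTH:
        return False, "too long"
    lowered = password.lower()
    if username and username.lower() in lowered:
        return False, "contains the username"
    if service_name and service_name.lower() in lowered:
        return False, "contains the service name"
    if re.fullmatch(r"(.)\1+", password):
        return False, "repeated single character"
    if is_breached(password):
        return False, "found in a breach corpus"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Summer2019!", "aaaaaaaaaa", "correct horse battery staple"]:
        print(candidate, evaluate_password(candidate, username="alice"))
```

Note that "Summer2019!" passes every composition rule an older policy would impose and is rejected only because it is in the corpus, while the long passphrase with no digits or symbols is accepted. That is the behaviour the NIST change is meant to produce.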
Step 2: Intervene Early
The next step is to keep stolen credentials from being sold on to the wider criminal underground. By the time compromised passwords are discovered by scanners, crawlers and scrapers, the damage has typically been done: the credentials have already been sold or posted on public forums.
When passwords are strong, unique and have never been compromised, account takeover through password reuse is unlikely. Proactively protecting accounts that are currently exposed, however, requires access to the same data the criminals have, at the time they have it. A company relying on scanners, web crawlers and forum scrapers may only find an exposure late in the ATO lifecycle, after the stolen credentials have already been sold to criminal communities. At that point, all that remains is damage control.
Step 3: Stop the Bleed
If credentials are found to be exposed, an effective security solution will automatically and immediately force a password reset. The user is locked out until they choose a unique, strong and previously unexposed password; existing sessions, refresh tokens and API keys tied to the account should be revoked at the same time, since a reset alone does not end a session the attacker already holds. Administrators should be alerted and the account should be monitored for suspicious activity for the long haul.
A user whose credentials were stolen should survey all of their accounts, personal and work-related, to make sure the password and any variations of it are not in use anywhere else. Once a password is compromised, it will almost certainly be fed into credential-stuffing runs against other applications and websites. Changing every instance of it is critical.
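As an added example (not code from the article or from any vendor), here is the triage logic behind "stop the bleed": each exposure record from a breach feed is matched against the organization's own user directory, and the recovered plaintext is tested against the account's current password verifier. An exact match, or a match on one of the mutations credential-stuffing tools try, triggers an immediate forced reset; an old password that is no longer in use gets a notification and long-term monitoring instead. The user directory, the exposure feed and the PBKDF2 verifier are all constructed for the example (your identity provider will have its own hash format), and the output rows are written as CSV because that is the feed almost any SIEM can ingest.

```python
import csv
import hashlib
import hmac
import io
import os
from datetime import datetime, timezone

ITERATIONS = 100_000  # kept modest for the example; use your IdP's real parameters


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 stand-in for whatever verifier your IdP stores."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


# Constructed user directory: three accounts with their current password verifiers.
USERS = {
    "alice@example.com": hash_password("Summer2019!"),
    "bob@example.com":   hash_password("correct horse battery staple"),
    "dave@example.com":  hash_password("Winter2018!1"),
}

# Constructed exposure feed, in the shape a breach-monitoring service might deliver:
# victim identifier, recovered plaintext, and the dump it came from.
EXPOSURES = [
    {"email": "alice@example.com", "plaintext": "Summer2019!", "source": "forum-dump-A"},
    {"email": "bob@example.com",   "plaintext": "OldBobPass1", "source": "forum-dump-A"},
    {"email": "carol@example.com", "plaintext": "whatever",    "source": "forum-dump-B"},
    {"email": "dave@example.com",  "plaintext": "Winter2018!", "source": "forum-dump-B"},
]


def variants(password):
    """A few mutations credential-stuffing tools try when the exact value fails."""
    seen = {password}
    for candidate in (password.lower(), password.upper(), password.capitalize(),
                      password + "1", password + "!", password + "123"):
        if candidate not in seen:
            seen.add(candidate)
            yield candidate


def triage(exposures, users):
    """Decide, per exposure record, what to do. Returns SIEM-ready action rows."""
    rows = []
    for ex in exposures:
        stamp = datetime.now(timezone.utc).isoformat()
        record = users.get(ex["email"])
        if record is None:
            action, reason = "ignore", "no such account in directory"
        elif verify_password(ex["plaintext"], record):
            action, reason = "force_reset", "exposed password is the current password"
        elif any(verify_password(v, record) for v in variants(ex["plaintext"])):
            action, reason = "force_reset", "variation of exposed password is the current password"
        else:
            action, reason = "notify_and_monitor", "exposed password is not the current password"
        rows.append({"timestamp": stamp, "user": ex["email"], "action": action,
                     "reason": reason, "source": ex["source"]})
    return rows


FIELDS = ["timestamp", "user", "action", "reason", "source"]


def to_csv(rows):
    """CSV is the lowest-common-denominator feed most SIEM/TIP products ingest."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(triage(EXPOSURES, USERS)))
```

The variant check is what turns "the exposed password is old" into a useful signal rather than a false reassurance: dave's exposed "Winter2018!" is not his current password, but "Winter2018!1" is, and that is exactly the first thing a stuffing tool would try. The force_reset rows are the ones that should also revoke sessions and tokens, as described above.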
Choose the Right ATO Prevention Solution
With the right ATO prevention solution, your fraud investigators should be able to discover and mitigate the collateral damage of third-party breach exposures early in the ATO lifecycle. Using human intelligence (HUMINT) and applied research, the solution should flag your users' exposures from third-party breaches well before scanners, web crawlers and forum scrapers find them, and before the stolen credentials are sold on the underground. It should also find and identify internal machines that may be infected with credential-stealing malware, monitor for suspicious activity and attempt to recover any stolen data.
Some solutions send every event to the customer's SIEM or threat intelligence platform (TIP) through an API, through product-specific apps for platforms such as AlienVault or Splunk, or to any system that can ingest CSV. This keeps the security team current on every exposure, with the data integrated into the tools that already give them the whole picture.
In the end, protection from account takeover requires insight into the entire ecosystem: constant monitoring of every employee and customer account, constant cross-checking against a robust database of the most current data available, proactive measures that take immediate action, and integration with existing systems. Employee education is a must. Employees are your most valued asset and your biggest liability. The point is not to put up more roadblocks but to empower them to be smarter in protecting their own identities.